Developer Tools | Auth: OAuth | Hosting: Official hosted

Vanta MCP Server

Connect Claude, Cursor, and other AI agents to your Vanta compliance data over MCP.

What is Vanta MCP?

The Vanta MCP server is a Model Context Protocol server that connects AI agents like Claude and Cursor to your Vanta account, letting them securely read and act on your security-compliance data.

Vanta is a compliance automation platform that continuously monitors controls, collects evidence, and tracks your progress toward frameworks like SOC 2, ISO 27001, and others. The MCP server exposes that data to an AI agent so it can answer questions like "What's my SOC 2 completion status?", surface failing tests, inspect controls and evidence documents, and even propose code fixes and pull requests to remediate issues—without leaving the editor.

It is a remote server hosted by Vanta. Connect to the regional endpoint for your tenant (https://mcp.vanta.com/mcp for US, https://mcp.eu.vanta.com/mcp for EU, https://mcp.aus.vanta.com/mcp for Australia). Authentication uses OAuth: when you run /mcp in your client, Vanta opens an authorization page where you sign in and click Allow. Access is currently limited to Vanta Admins on the Core package or above. (An earlier self-hosted VantaInc/vanta-mcp-server repo is now deprecated in favor of this hosted server.)

Tools the Vanta MCP server exposes

Tool | What it does
tests | Retrieve automated security and compliance tests with filtering options.
list_test_entities | List the resources a specific test monitors, including failures.
controls | List security controls or fetch one by ID with framework mapping.
list_control_tests | Enumerate the tests that validate a specific control.
list_control_documents | List evidence documents attached to a control.
documents | List compliance documents or retrieve a specific document's details.
integrations | List connected integrations with their resource kinds and status.
frameworks | List compliance frameworks (e.g. SOC 2, ISO 27001) with completion metrics.
list_framework_controls | Retrieve a framework's controls with implementation guidance.
people | List people or look up an individual with role and membership metadata.
risks | List risk scenarios or fetch a scenario with treatment information.
vulnerabilities | List detected vulnerabilities with CVE data and affected assets.

Connect the Vanta MCP server

Claude Code

  1. Add the Vanta MCP server

    Run: claude mcp add --transport http vanta https://mcp.vanta.com/mcp (use the EU/AUS URL if that's your region).

  2. Authenticate

    Run /mcp in Claude Code, select Vanta, and complete the OAuth flow in the browser (click Allow). You must be a Vanta Admin.

  3. Optional: install the plugin

    For extra slash commands, run /plugin install vanta-mcp-plugin@claude-plugins-official, then /reload-plugins. Adds /vanta:list-tests and /vanta:fix-test (generate fixes and PRs).

Vanta hosts a separate server per region—use the URL that matches your tenant.

Cursor

  1. Open MCP settings

    Go to Settings -> Tools & MCP -> Add custom MCP.

  2. Add the server

    Add an HTTP MCP entry with URL https://mcp.vanta.com/mcp (or your regional EU/AUS URL).

  3. Authenticate

    Trigger the connection and complete Vanta's OAuth login (click Allow). Cursor exposes all MCP tools, though Claude-specific plugin slash commands aren't available.

Sample use cases

Daily compliance standup

A scheduled agent reports SOC 2 / ISO 27001 completion and any newly failing tests to your team channel.

Failing-test remediation

An agent surfaces prioritized failing tests, inspects the linked controls, and (with the plugin) generates code fixes and pull requests.

Audit-evidence lookup

Ask the agent which documents serve as evidence for a control instead of clicking through the Vanta UI.

Risk and vulnerability triage

An agent lists open risk scenarios and CVE-tagged vulnerabilities with affected assets for review.

Security & permissions

Authentication is OAuth: connecting opens a Vanta authorization page where you sign in and explicitly grant the AI client access. The agent then acts against the Vanta API on your behalf, scoped to your tenant's data—frameworks, controls, tests, evidence documents, integrations, people, risks, and vulnerabilities. Access is currently restricted to Vanta Admins on the Core package or above, so the connected agent inherits broad read access to your compliance posture and (via remediation tools/plugin) can propose code fixes and pull requests. Treat the connection as you would any privileged admin integration and review agent actions before applying changes.

Using Vanta MCP with Gamut

In a Gamut workflow, the Vanta MCP server becomes a tool your agent calls on a schedule or in response to events—Gamut manages the OAuth connection so the agent can reach Vanta without manual re-auth. For example, a scheduled agent can pull frameworks completion metrics each morning and post your SOC 2 status to Slack, or an event-triggered agent can list failing tests, inspect the affected controls, and open a remediation ticket—all without a human in the loop. The agent only does what Vanta's tools and your Admin scope permit; Gamut handles connection and orchestration, not Vanta's underlying permissions.

Frequently asked questions

What is the Vanta MCP server?

It's a Model Context Protocol server hosted by Vanta that connects AI agents (Claude, Cursor, and others) to your Vanta compliance account—letting them query frameworks, controls, tests, evidence, risks, and vulnerabilities, and help remediate failing tests.

Is the Vanta MCP server free?

There's no standalone free tier. It's included for Vanta customers on the Core package or above, and you must be a Vanta Admin to connect. You need an active Vanta subscription to use it.

How do I connect Vanta MCP to Claude Code or Cursor?

For Claude Code, run claude mcp add --transport http vanta https://mcp.vanta.com/mcp, then /mcp and complete the OAuth login. For Cursor, go to Settings -> Tools & MCP -> Add custom MCP and add the same URL, then authenticate. Use the EU or AUS regional URL if that's your tenant.

Is the Vanta MCP server hosted or self-hosted?

It's hosted by Vanta as a remote server with regional endpoints (US, EU, AUS) and OAuth auth. The earlier self-hosted VantaInc/vanta-mcp-server repo is deprecated—Vanta directs users to the hosted server instead.